Remote e-voting overview


We can divide voting into four distinct categories: in-person paper voting, in-person e-voting, remote paper
voting and remote e-voting (REV). Electoral processes must guarantee certain properties and, when conducted
electronically, provide cybersecurity. The goal of this short paper is to give a brief overview of the current tools in the
remote e-voting ecosystem and to pinpoint key components that will play an important role in its foreseeable evolution.


1 SUBJECT 


Remote e-voting is the ability for a user to cast a vote during an election, or to answer a poll, from their own computer in
any location with immediate effect. Elections that are run electronically are important because they are able to generate consensus
faster than traditional voting and perhaps cheaper, considering that the same infrastructure can be re-used in different cycles.


2 USE CASES 


One of the first pilot experiments with remote e-voting took place in Estonia in 2005, for the local elections, where
around 1% of the voters used the system. This later culminated in the 2019 Estonian parliamentary elections, in which 565 045 people
voted, of whom 247 232 cast their votes on-line, at home, over the internet, about 43.8% of the total votes cast. Estonia
is so far the only country to deploy remote e-voting for national elections across the entire population of the country. To achieve
this it made use of the smart card eID issued by its government.

In Switzerland, remote e-voting started a little earlier, in 2003, the first time in the small commune of
Anières, which is part of the canton of Geneva. Between 10-20% of the total votes of permanent residents have since been cast over
the internet, while for the expat community on-line voter turnout of between 40-70% has been registered, depending on the specific
canton. Switzerland, however, uses a mechanism other than smart cards for identification, which relies solely on in-person
registration at the corresponding canton and the entry of a series of codes that are sent to the corresponding
residential address by letter.

The Swiss experience contrasts with Estonia's in that it has taken place more at a local than at a national level.

In 2016 the Colombian government and the FARC held a plebiscite on a peace treaty in which around 5 400 000 otherwise
excluded expats were able to express their opinion on-line through digital tools.

South Korea successfully deployed a small-scale remote e-voting poll in its most populous province, Gyeonggi-do, with
around 9000 participants who decided the fate of 527 community projects. The trial used blockchain for improved security, an
approach that has seen strong support for adoption by national authorities, which plan to invest $380 million between 2021 and 2026.
The Ministry of Science and Technology plans to implement DID at a national level by the end of 2022.


Other trials have been conducted with relative success at varied scales in other countries as the technology behind remote e-voting
becomes better understood. There are numerous examples of private companies that claim to be able to accomplish this.


3 BASIC PROPERTIES


The biggest challenge of remote e-voting is to achieve a high level of security in an uncontrolled environment and
on an insecure platform. E-voting properties, and many different classifications that set the minimum requirements, are already
established. Some of these classifications are just the same properties under different names, such as confidentiality, integrity,
privacy, democracy, universality, verifiability, etc. Regardless, the goal is always to reconcile two apparently mutually exclusive
properties:


Verifiability


Verifiability is the ability of any independent party to verify that all votes were counted correctly. Additionally, it should
give voters the ability to verify that their own vote has been properly cast, recorded and counted in the final tally. The
pursuit of this property culminated in the idea of end-to-end verifiability (E2E-VIV). Intuitively, such a system must give
voters the ability to detect fraud by distributing receipts for each vote, while preventing these receipts from being used as
proof of how they voted to a third party, in order to avoid coercion. Current practice stipulates that all receipts should be posted
publicly on a secure append-only bulletin board once the final tally is published.


Privacy 


The remote e-voting system must protect voters by concealing the relation between the voter and the votes cast, ensuring
that the choices made remain private. This can be expressed via several security properties:

Basic ballot integrity guarantees that no one in possession of the (digital) ballots can disclose how voters voted 
individually while still being able to tally the results. 

In the literature, receipt-freeness means protecting the voting process even when voters willingly interact with an 
attacker. Coercion-resistance, less strongly, is considered when an honest voter is, during some time, under the control of an 
attacker. Both these conditions assume that a voter should not be able to prove conclusively to anyone else how the vote was cast. 

Protection from social profiling should also be considered: by using a mix-net (an overlay network), correlations between
the votes, the voters and their geolocations should be concealed.

Various concepts such as receipt-free voting, E2E, third-party verifiability, etc., have led to the development of different
protocols. A common critical aspect concerns identity management, which is fundamental to guaranteeing that each person can vote at
most once during each election. The concept of a PKI (public key infrastructure) helps by providing an easy and highly secure way to
authenticate. PKI ensures that sensitive information is encrypted and can only be reverse verified with special keys that are in the
possession of only the voter and trusted entities, generally with the help of a CA (Certificate Authority).

The whole system is thus divided and analyzed in several phases or layers. With proper design each layer can be checked,
as well as the transactions in between. Some interesting remote e-voting systems that offer end-to-end verifiability, under certain
configuration assumptions, that were found during our research were Remotegrity, EVIV and VoteAgain.


4 TECHNOLOGIES 


Public-Key, Zero-Knowledge and Homomorphic Encryption 


PKIs comprise well-established cryptographic algorithms and the necessary underlying infrastructure that can be used to form
secure channels between two parties while guaranteeing confidentiality, data integrity and identity.

Although Public-Key Infrastructure does provide some of the necessary building blocks for secure communications,
registering and authenticating eIDs generally relies on the issuance of digital certificates from a CA (the government or other public
institutions), and the integrity of these is tied to the good behavior of the officials who issue and manage the certificates. Recently,
decentralized PKI schemes, which rely instead on a Network of Trust and blockchain, were proposed to mitigate this design flaw.

Zero-Knowledge Proofs (ZKP) are a way to prove to a party that you are in possession of some information (a secret)
without revealing it during communications. This is useful for anonymous authentication and, consequently, private voting.

Homomorphic encryption allows votes to be saved and later tallied without disclosing clear data. It achieves this by doing
computations on top of ciphertexts and is useful to guarantee ballot integrity when publishing a bulletin board of the votes.
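
To make the homomorphic tally concrete, the following added example (not part of the original paper, and not taken from any of the systems it cites) uses the Paillier cryptosystem, one additively homomorphic scheme, to count a three-candidate election from encrypted ballots only. The key size, the function names and the sample votes are assumptions made for illustration; the primes are far too small for real use.

```python
import math
import secrets

# Toy key built from two Mersenne primes, chosen for this example only;
# a real election key uses a modulus of 2048 bits or more.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)    # valid because the generator is g = n + 1
    return n, (lam, mu)

def encrypt(n, m):
    """Paillier encryption: c = (1 + n)^m * r^n mod n^2 with a fresh random r."""
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n2) % n2

def decrypt(n, sk, c):
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def tally(n, sk, board, base, n_candidates):
    """Multiply all ciphertexts (this adds the plaintexts), decrypt once,
    then read one counter per candidate from the base-`base` digits."""
    acc = 1
    for c in board:
        acc = acc * c % (n * n)
    total = decrypt(n, sk, acc)
    counts = []
    for _ in range(n_candidates):
        total, digit = divmod(total, base)
        counts.append(digit)
    return counts

def run_election(choices, n_candidates=3):
    n, sk = keygen()
    base = len(choices) + 1     # every per-candidate counter stays below base
    # A ballot for candidate i is an encryption of base**i; only ciphertexts are posted.
    board = [encrypt(n, base ** ch) for ch in choices]
    return board, tally(n, sk, board, base, n_candidates)

if __name__ == "__main__":
    print(run_election([0, 2, 1, 2, 2, 0])[1])   # constructed sample votes
```

No individual ballot is ever decrypted; only the product of all ciphertexts is. A deployed system additionally needs each voter to prove, for example with a zero-knowledge proof, that the ciphertext encodes a valid choice, and splits the decryption key among several trustees.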

There are other cryptographic techniques that may also prove to be useful, such as Multi-Party Computation, for example
whenever guaranteeing shared trust between members of a small set is a necessity.


PKI is embedded in government-issued smart card eIDs.


Trusted Execution Environment 


As mentioned, insecure platforms pose serious problems. We need to ensure that the applications necessary for remote
e-voting are running in isolated environments in order to protect the voter's machine against malware. A TEE allows this by
structuring access to hardware resources separately from the rich OS. With the proper setup of a nanokernel, the use of
microcode and private keys stored in firmware, namely in ROM (read-only memory), and assuming a trust relationship between
the hardware provider and the end user, a TEE allows the secure handling of private keys on the voter's machine and may be used to
give assurance that the correct software is running in isolation from other, potentially malicious processes. However, this is
fragile in situations where hidden backdoors bypass security checks. This can only be alleviated by promoting open source software
and hardware, and is currently an issue given the monopoly of hardware manufacturers.


This technology is implemented in some of the AMD, Intel, ARM and RISC-V CPUs. Smart cards are also one form of
TEE because of their embedded microchips, which are obviously detached from the devices with which they operate.


Distributed ledgers 


The blockchain is a new technology for storing data in a secure and transparent way which is not subject to any form of
central control. It provides strong resilience against attacks that tamper with the integrity of the data by making use of the
immutability property that can be obtained from distributed ledgers.

The technology is based on a decentralized network consisting of multiple connected nodes that can interchange data 
transactions, are geographically disjoint, have different owners and which operate as a single database. The design makes it possible 
for the information stored in the blockchain to be preserved permanently and without the possibility of it being modified in one of 
the nodes without detection. It also ensures high availability by eliminating single points of failure (Byzantine fault tolerance) while 
always providing verifiability as all nodes maintain the consensus version of the ledger. Smart contracts are a novelty in the sense 
that blockchains become not only databases but can function as decentralized applications (dApps) as well. 

The main purpose of using blockchain in remote e-voting is to guarantee that the servers where data is stored and
processed are not under the control of a single entity (although different parties may be assigned different roles).
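
The append-only bulletin board of receipts described under Verifiability, and the claim above that a ledger entry cannot be modified on one node without detection, both rest on hash chaining. The sketch below is an added example, not code from the paper or from any blockchain platform; the function names and the receipts are constructed for illustration, and consensus between nodes is reduced to an agreed head hash.

```python
import hashlib

GENESIS = "0" * 64    # fixed starting value of the chain

def link(prev_hash, receipt):
    """Hash that binds a receipt to everything posted before it."""
    return hashlib.sha256(f"{prev_hash}|{receipt}".encode()).hexdigest()

def append(board, receipt):
    prev = board[-1]["hash"] if board else GENESIS
    board.append({"receipt": receipt, "hash": link(prev, receipt)})
    return board[-1]["hash"]          # new head, shared with all nodes

def audit(board, agreed_head):
    """Return None if this replica matches the agreed head, otherwise the index
    of the first inconsistent entry (len(board) means a wrong number of entries)."""
    prev = GENESIS
    for i, entry in enumerate(board):
        if entry["hash"] != link(prev, entry["receipt"]):
            return i
        prev = entry["hash"]
    return None if prev == agreed_head else len(board)

def receipt_posted(board, receipt):
    """Voter-side check: is my receipt on this replica?"""
    return any(e["receipt"] == receipt for e in board)

def demo():
    # Constructed receipts: digests of encrypted ballots, so they reveal no choice.
    receipts = [hashlib.sha256(f"ciphertext-{i}".encode()).hexdigest()[:16]
                for i in range(4)]
    honest = []
    for r in receipts:
        head = append(honest, r)
    edited = [dict(e) for e in honest]
    edited[1]["receipt"] = "f" * 16               # one node rewrites an entry
    truncated = [dict(e) for e in honest][:-1]    # one node drops the last entry
    return {
        "honest": audit(honest, head),
        "edited": audit(edited, head),
        "truncated": audit(truncated, head),
        "voter_sees_receipt": receipt_posted(honest, receipts[2]),
        "voter_on_edited_node": receipt_posted(edited, receipts[1]),
    }
```

Any auditor holding the agreed head can run `audit` against any replica, and a voter whose receipt is missing from a replica has evidence that the replica was altered.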


Overlay networks 


Encryption (with the use of PKI) is enough to guarantee some degree of privacy. However, it does not deal with the risks
of correlating the voter's machine IP address, which is present in the exchanged data packets and which can be traced to specific
geolocations. To protect against this type of attack, a technique known as onion routing can be deployed by using overlay networks:
a network that is layered on top of another network and used to scramble and hide the IPs.

The basic idea is that the signal between each node of the network is randomly mixed between a set of proxies, also 
known as relays (nodes). This is coupled with the procedure that at each intersection of the packet's route, information is carried 
only about the predecessor and successor nodes but not of the entire mapping. 

This architecture, if properly set up, can be used to obfuscate the user's source and destination IPs. No-log VPNs may
provide this service but require some level of trust between the users and the VPN provider.

Tor, on the other hand, is a decentralized trustless solution first developed by the U.S. Navy in the mid-1990s which
provides reasonable anonymity against non-state actors.


Endpoint monitoring 


Correct remote e-voting deployments must make use of proper endpoint threat detection and response techniques at each node of
the decentralized infrastructure as well as on the end users' terminals. These can range from the use of reverse firewalls
and updated software to the correct choice and setup of the OS, which, in particular, should be amnesic by default.

Additionally, practices such as never sharing personal smart cards with other users and never sharing keys and passwords with
the public are important.


5 IDENTITY MANAGEMENT 


There are currently 53 countries that have smart cards as national ID documents of which we found 11 to provide publicly 
available SDKs: in Belgium, Cabo Verde, Czech Republic, Estonia, Germany, Italy, Latvia, Lithuania, Peru, Portugal and Uruguay. 

In 41 other countries specific software is required in order to fully use eIDs, such as in Afghanistan, Albania,
Algeria, Bangladesh, Brunei, Croatia, Finland, Ghana, Guatemala, India, Indonesia, Ireland, Israel, Kuwait, Lebanon, Liechtenstein,
Luxembourg, Malawi, Malta, Malaysia, Mauritius, Mongolia, Monaco, Morocco, Nepal, the Netherlands, Nigeria, Norway, Oman,
Pakistan, Poland, Romania, Serbia, Slovakia, Somalia, Spain, Sweden, Thailand, Turkey, United Arab Emirates and Uruguay.

We know that the Philippines has successfully deployed government-issued smart card eIDs, but we failed to find
information about the availability of the middleware. France is soon to deploy smart card eIDs.

In other countries no eID service is provided and identification is mostly done in person and on paper, or depends on
centralized IT structures that issue a voter eID specifically during elections, as in the case of Switzerland.


Another hypothetical way to implement remote e-voting is to make use of the W3C DID standard. The only country that has
publicly pledged to allocate public resources to this end is the already mentioned case of South Korea. In this spirit,
CanDID seems to be an interesting and innovative approach to implementing remote e-voting in countries that still rely on legacy
systems.

Biometrics may also prove to be an alternative to eIDs provided by state-issued smart cards.


The present authors consider that the conditions to deploy E2E-VIV are to a large extent sufficiently understood and that
further investment should be made. We also consider that, with the exception of Estonia, where national elections have already been
successfully conducted, few other countries are actively pursuing this end. Most need to improve or disclose their technology in order
to facilitate implementation. Disclosing official eID smart card SDKs in order to facilitate IDM is important for the ecosystem to
evolve.


6 FINAL REMARKS 


The present authors consider that the conditions to deploy E2E-VIV are to a large extent sufficiently understood and that
further investment should be made. We also consider that, with the exception of Estonia, where national elections have already been
successfully conducted, few other countries are actively pursuing this end. Most need to improve or disclose their technology in order
to facilitate implementation. Disclosing official eID smart card SDKs is important for the ecosystem to evolve.